[openssl-dev] confusion with rsa_meth_st in a custom RSA engine
Dr. Stephen Henson
steve at openssl.org
Mon Aug 28 17:32:30 UTC 2017
On Mon, Aug 28, 2017, Brett R. Nicholas wrote:
> > The rsa_mod_exp function is only called for private key operations. You can't
> > tell if it is a private encrypt or a private decrypt though but that
> > shouldn't matter because the operation performed at that level is the same for
> > both.
>
> Ah, I see. So to clarify (pls correct me if I'm wrong):
>
> * rsa_mod_exp() is the modular exponentiation function that openSSL will attempt to use for all private key operations (if RSA_FLAG_EXT_PKEY is set, or the private parameters of that method are non-null), before defaulting to bn_mod_exp().
> * And bn_mod_exp() is the modular exponentiation function used by all public key operations
>
>
> So in my case, I should set RSA_FLAG_EX_PKEY in my engine's RSA_METHOD struct, and then implement my own versions of rsa_mod_exp (for the private key encryption/decryption), and bn_mod_exp (for the public key encryption/decryption).
>
>
Yes. Note also that if you set the public key components (n, e) you don't need
to perform the public key operations in your ENGINE if you keep the original
bn_mod_exp(): OpenSSL will do them for you. If possible you should set the
public key components anyway: some operations such as generating certificate
requests require them to be present.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
More information about the openssl-dev
mailing list